This is a great idea. I now exclusively use SSH keys on hardware security modules of some kind. I use "Secretive", a Mac app that does the same, plus a YubiKey using yubikey-agent (https://github.com/FiloSottile/yubikey-agent; there are too many complicated ways to use SSH keys with a YubiKey, and this is one of the friendliest ones). The security of, and the frequency with which I access, the service determine whether I need presence confirmation and whether I use Secretive or the YubiKey.

I would be remiss not to mention that there are existing SSH TPM projects; I'm not sure how this one differentiates itself. It seems to at least keep the user experience pretty simple, similar to yubikey-agent (and Secretive), and unlike some of the existing solutions, which have quite a few extra steps: https://github.com/tpm2-software/tpm2-pkcs11/blob/master/doc...

I really love it when projects like this acknowledge that there are "competitors" or other software in the space and provide a fair comparison. It would be great to see one of those here :) For example, you can easily use SSH FIDO keys, but they aren't supported by all server sides; ECDSA keys often are (though not always!), etc. :)

The ; got included in the yubikey-agent URL: https://github.com/FiloSottile/yubikey-agent

Thanks for those pointers!